WO2010079694A1 - Security monitoring method, security monitoring system, and security monitoring program - Google Patents


Info

Publication number: WO2010079694A1
Authority: WO (WIPO, PCT)
Prior art keywords: information, transmission, observation, policy, knowledge
Application number: PCT/JP2009/071426
Other languages: French (fr), Japanese (ja)
Inventor: 啓 榊
Original Assignee: 日本電気株式会社 (NEC Corporation)
Related publications: US20110265184A1 (priority to US13/133,722), JP5447394B2 (priority to JP2010545720A)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • The present invention relates to a security monitoring method, a security monitoring system, and a security monitoring program that acquire a plurality of observation information representing the security state of devices and perform a security judgment by a policy based on that observation information.
  • An example of a conventional security state monitoring system is described in Patent Document 1.
  • In the monitoring system of Patent Document 1, a state verifier that inspects whether a computer is safe is placed inside the computer, a state certificate proving that the computer is secure is created inside the computer under inspection, and that state certificate is transmitted.
  • With this configuration, whether each device is secure can be monitored with less communication than transmitting the state of each device.
  • An example of agent technology that reduces the amount of communication is described in Patent Document 2.
  • In the conventional agent technology of Patent Document 2, when synchronizing data between agents or obtaining information held by other agents, the system learns which agent should be queried to obtain correct information, thereby reducing the communication required to search for agents.
  • The first problem is that a large transmission volume is required to send the detailed information on each device that security monitoring needs.
  • The second problem is that the conventional methods that reduce the transmission volume cannot form one policy by combining the states of a plurality of devices.
  • An object of the present invention is to provide a security monitoring method, a security monitoring system, and a security monitoring program capable of monitoring the security of a plurality of devices with a small amount of communication.
  • The security monitoring method of the present invention holds transmission information, defined as representative information standing for a group of related observation information, determines whether the security judgment by the policy is possible using only the transmission information instead of the observation information, and, if so, transmits the transmission information instead of all or part of the observation information.
  • The security monitoring system of the present invention has: policy storage means that stores the policy serving as the criterion for judging whether the monitored system is secure; observation knowledge storage means that stores observation knowledge describing the observation information, i.e. the information on each device used to judge whether the monitored system is secure, and the method of judging it; system analysis means that analyzes the state of the monitored system based on the stored observation knowledge; transmission knowledge storage means that stores, so that not all observation knowledge analyzed by the system analysis means has to be transmitted, transmission knowledge, i.e. the combination of the transmission information to be sent and the observation information it stands for; transmission knowledge determination means that receives the observation information from the system analysis means and the policy from the policy storage means and judges, based on the stored transmission knowledge, whether sending transmission information instead of the individual observation information affects the policy judgment; and information transmission means that transmits the observation information together with the transmission information judged not to affect the policy judgment.
  • When the transmission knowledge determination unit judges that transmission information should be sent instead of the plurality of observation information the system analysis unit observed on each device, the system sends the transmission information instead of that observation information.
  • The present invention has the following effects.
  • First, the amount of information to be transmitted can be reduced.
  • The reason is that, instead of sending every item observed, the items that can be judged not to affect the policy judgment are sent together as one.
  • FIG. 1 is a block diagram of a security monitoring system according to the first embodiment of this invention.
  • FIG. 2 is a flowchart showing the operation of the security monitoring system according to the first embodiment.
  • FIG. 3 is a block diagram of a security monitoring system according to the second embodiment of this invention.
  • FIG. 4 is a flowchart showing the operation of the security monitoring system according to the second embodiment.
  • FIG. 5 is a block diagram of a security monitoring system according to the third embodiment of this invention.
  • FIG. 6 is a flowchart showing the operation of the security monitoring system of the third exemplary embodiment.
  • FIG. 7 is a block diagram of an application example of the security monitoring system of the third embodiment.
  • FIG. 8 is a table showing specific examples of observation knowledge.
  • FIG. 9 is a table showing specific examples of observation information.
  • FIG. 10 is a table showing a specific example of transmission knowledge.
  • Referring to FIG. 1, the security monitoring system includes a policy input unit 11, a policy storage unit 12, an observation knowledge storage unit 13, a system analysis unit 14, a transmission knowledge storage unit 15, a transmission knowledge determination unit 16, and an information transmission unit 17.
  • The policy input unit 11 is a means by which the security monitoring operator inputs a policy that defines a secure state by combining observation information of each device.
  • The policy storage unit 12 is a means for storing the policy input from the policy input unit 11, which is defined using observation information and is the criterion for judging whether the security monitoring target system is secure.
  • b1, b2, and b3 are values of observation information.
  • P may consist of a plurality of rules and may have priorities.
  • Having priorities means that, although any of p1, ..., pn may hold when judging the policy, the rules are judged in order from p1, and as soon as one takes the value true the policy is judged true without judging the subsequent rules.
  • The observation knowledge storage unit 13 is a means for storing observation knowledge, which describes the system information needed to judge the risk of the security monitoring target system, that is, the observation information (information on each device) used to judge whether it is secure, and the method of analyzing that observation information.
  • The system analysis unit 14 is a means that receives from the observation knowledge storage unit 13 the observation knowledge containing the observation information to be analyzed and its analysis method, analyzes the configuration and state of the system, and retrieves the value of each observation information from the monitored system.
  • The value of each observation information is retrieved by embedding a program in each device or by using means prepared in advance for management, such as a CIM (Computer Integrated Manufacturing) database or SMTP (Simple Mail Transfer Protocol).
  • The transmission knowledge storage unit 15 stores, so that not all observation information analyzed by the system analysis unit 14 has to be sent, the knowledge to be transmitted: combinations of transmission information and observation information.
  • The transmission knowledge storage unit 15 groups observation information that is linked, such as observation information within the same device, of the same application, or of the same service.
  • It also groups information whose values change in step, and observation states that are expected to change all at once, for example when a device or service is set up.
  • It stores transmission information, defined as a single state that bundles the grouped observation states, and transmission knowledge, the correspondence between that transmission information and the observation states bundled into it. A specific example of transmission knowledge is shown in FIG. 10.
  • The transmission knowledge determination unit 16 receives the observation information analyzed by the system analysis unit 14 and the policy from the policy storage unit 12, and judges whether sending transmission information instead of the individual observation information has no effect on the policy judgment.
  • A combination of observation information that does not affect the policy judgment is stored as transmission information, and when a combination stored in the transmission knowledge storage unit 15 matches a combination of observation information, that combination is judged not to affect the policy judgment. That is, the transmission knowledge determination unit 16 receives the transmission knowledge from the transmission knowledge storage unit 15 and the policy from the policy storage unit 12, and checks whether the grouped observation information contained in the transmission knowledge is split up and used separately in the policy.
  • Observation information that is always used together in the policy is sent as transmission information instead of as observation information; in other cases the observation information itself is sent.
  • A plurality of observation information can thus be collected into a smaller number of transmission information without affecting the policy judgment result.
  • The information transmission unit 17 transmits the observation information and the transmission information that the transmission knowledge determination unit 16 has determined should be sent, i.e. that does not affect the policy judgment, to the transmission knowledge conversion unit (not shown).
  • The transmission volume of the transmission information is smaller than the transmission volume of the plurality of observation information it replaces.
  • Transmission information candidates may be determined, the number of observation states compared with the number of transmission information candidates, and the transmission information sent when the number of transmission information candidates is smaller.
  • A policy is input using the policy input unit 11 and stored in the policy storage unit 12 (step 101).
  • The system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyzes the system, queries the observation targets, and determines the value of each observation information (step 102).
  • The transmission knowledge determination unit 16 determines, based on the transmission knowledge and the policy, whether to send transmission information or observation information (step 103).
  • The information transmission unit 17 transmits the observation information and the transmission information (step 104).
  • The transmission knowledge determination unit 16 determines whether to send transmission information, in which a plurality of observation information is collected, within the range that does not affect the policy judgment. When it determines that transmission information is to be sent, the transmission information is sent instead of part of the observation information, so security can be monitored with a small amount of information transmission.
  • Referring to FIG. 3, the security monitoring system of this embodiment includes a policy input unit 11, a policy storage unit 12, an observation knowledge storage unit 13, a system analysis unit 14, a transmission knowledge storage unit 15, a transmission knowledge determination unit 16, an information transmission unit 17, a transmission knowledge conversion unit 18, and a policy determination unit 19.
  • That is, the security monitoring system of this embodiment adds a transmission knowledge conversion unit 18 and a policy determination unit 19 to the security monitoring system of the first embodiment.
  • The transmission knowledge conversion unit 18 converts the policy so that whether it is satisfied can be judged from the observation information and transmission information sent by the information transmission unit 17.
  • For that purpose, the observation information corresponding to the transmission information sent by the information transmission unit 17 is read from the transmission knowledge storage unit 15, that observation information in the policy is replaced by the transmission information, and the result is stored in the transmission knowledge storage unit 15.
  • The transmission knowledge conversion unit 18 thus uses the observation information and transmission information sent by the information transmission unit 17 to judge whether they satisfy the security policy, which defines the secure combinations of observation information.
  • The policy determination unit 19 applies the transmission information and observation information sent by the information transmission unit 17 to the converted policy (substituting the value of each item) and determines whether the policy is satisfied.
  • A policy is input using the policy input unit 11 and stored in the policy storage unit 12 (step 201).
  • The system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyzes the system, and determines the value of each observation information (step 202).
  • The transmission knowledge determination unit 16 determines, based on the transmission knowledge and the policy, whether to send transmission information or observation information (step 203).
  • The information transmission unit 17 transmits the observation information and the transmission information (step 204).
  • The policy, which was composed only of observation information, is converted so that it is composed of the observation information and transmission information sent by the information transmission unit 17 and can be judged (step 205).
  • The policy determination unit 19 determines whether the monitored system satisfies the policy (step 206).
  • The transmission knowledge determination unit 16 determines whether to send transmission information, in which a plurality of observation information is collected, within the range that does not affect the policy judgment. When it determines that transmission information is to be sent, the transmission information is sent instead of part of the observation information, and whether the policy is satisfied is judged from the transmission information and the observation information. Therefore security can be monitored with a small amount of information transmission.
  • Referring to FIG. 5, the security monitoring system of this embodiment further includes a transmission knowledge generation unit 20 in addition to the configuration of the second embodiment.
  • The transmission knowledge generation unit 20 takes the policy from the policy storage unit 12, defines a new state by combining a plurality of the observation information that make up the policy, extracts those combinations for which using the transmission information instead of the plurality of observation information neither affects the policy judgment nor increases the number of states, and stores the correspondence in the transmission knowledge storage unit 15 as transmission knowledge.
  • A combination of observation information that does not affect the policy judgment and does not increase the number of states is, for example, a combination of observation information within the same device, or a combination of observation information some of whose members form states that do not appear in other policies or are not used in combination with other observation information.
  • A specific example of transmission knowledge is shown in FIG. 10.
  • A policy is input using the policy input unit 11 and stored in the policy storage unit 12 (step 301).
  • The transmission knowledge generation unit 20 extracts, from the input policy and the observation knowledge, the observation information in the policy that can be sent collectively, and newly associates it with transmission information in the transmission knowledge storage unit 15 (step 302).
  • The system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyzes the system, and determines the value of each observation information (step 303).
  • The subsequent steps are the same as in the second embodiment (step 304).
  • This embodiment generates, from the policy and the observation knowledge, transmission information that can be associated with a plurality of observation information. Therefore risk analysis with reduced communication volume is possible without generating transmission knowledge in advance.
  • Referring to FIG. 7, the PC 1 and the network device 2 each include a system analysis unit 14, a transmission knowledge determination unit 16, and an information transmission unit 17 that analyze that device.
  • The system monitoring PC 3 includes a policy input unit 11, a policy storage unit 12, a policy determination unit 19, a transmission knowledge storage unit 15, a transmission knowledge conversion unit 18, and an observation knowledge storage unit 13.
  • A user defines a secure state as a policy by combining observation information, using a policy creation means (not shown).
  • The observation information in this example is: Deny#rule, indicating the filtering rules of network device 2; ClientFWStatus, indicating the filtering rules of the firewall software installed on PC 1; OSFWStatus, indicating the filtering rules of the OS installed on PC 1; NetworkStatus, indicating the network connection status of PC 1; and IPAddress, representing the IP address of PC 1.
  • The policy applies filtering to external connections (p1) or, if that cannot be done, disconnects the network (p2); p1 is assumed to have priority over p2.
  • Rule p1 is composed of conditions including (IPAddress in Deny#rule) and (OSFWStatus = enable).
  • The transmission knowledge determination unit 16 determines the transmission information from the transmission knowledge and the policy.
  • ClientFWStatus, OSFWStatus, NetworkStatus, and IPAddress are associated with the transmission information pc11.
  • ClientFWStatus, OSFWStatus, and NetworkStatus are associated with the transmission information pc14.
  • Since NetworkStatus and the other observation information are split between p1 and p2, sending pc11 or pc13, which summarize NetworkStatus together with the other observation information, would make it impossible to judge p1 and p2 separately.
  • The security monitoring system described above may be realized by recording a program that implements its functions on a computer-readable recording medium and having a computer read and execute the program recorded on that medium.
  • The computer-readable recording medium refers to recording media such as a flexible disk, a magneto-optical disk and a CD-ROM, and to storage devices such as a hard disk drive built into the computer system.
  • The computer-readable recording medium also includes media that hold the program dynamically for a short time, such as the transmission medium or carrier wave when the program is transmitted over the Internet, and media that hold the program for a certain time, such as the volatile memory inside the computer acting as the server in that case.
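The determination of unit 16 (may a group of observation information be replaced by one transmission state without splitting a rule?), the expansion of unit 18 and the priority judgment of unit 19, worked through on the PC 1 / network device 2 example. This is an added illustration, not code from the patent or from NEC; the Python representation, the extra group pc12, the named transmission states, the sample values and the exact conditions combined in p1 are assumptions made here.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    """One rule p_i: the observation information it references and its Boolean test."""
    name: str
    uses: frozenset
    test: Callable[[dict], bool]


# Observation information of the PC 1 / network device 2 example; the values
# are constructed here, there is no real device behind them.
OBSERVATION = {
    "Deny#rule":      frozenset({"192.0.2.10"}),  # filtering rules of network device 2
    "ClientFWStatus": "enable",                   # firewall software on PC 1
    "OSFWStatus":     "enable",                   # OS firewall on PC 1
    "NetworkStatus":  "connected",                # network connection status of PC 1
    "IPAddress":      "192.0.2.10",               # IP address of PC 1
}

# Policy: filter external connections (p1) or, failing that, disconnect the
# network (p2); p1 is judged first.  Which conditions p1 combines beyond the
# two the patent names is an assumption made here.
POLICY = [
    Rule("p1", frozenset({"IPAddress", "Deny#rule", "ClientFWStatus", "OSFWStatus"}),
         lambda o: o["IPAddress"] in o["Deny#rule"]
         or o["ClientFWStatus"] == "enable" or o["OSFWStatus"] == "enable"),
    Rule("p2", frozenset({"NetworkStatus"}),
         lambda o: o["NetworkStatus"] == "disconnected"),
]

# Transmission knowledge: a bundle of related observation information, plus named
# transmission states that each stand for one combination of their values.
# pc11 is the grouping the patent discusses; pc12 and all states are constructed.
TRANSMISSION_KNOWLEDGE = {
    "pc11": {
        "members": ("ClientFWStatus", "OSFWStatus", "NetworkStatus", "IPAddress"),
        "states": {},  # never consulted: pc11 is rejected by transmittable()
    },
    "pc12": {
        "members": ("ClientFWStatus", "OSFWStatus"),
        "states": {
            "pc12_both_on":  {"ClientFWStatus": "enable",  "OSFWStatus": "enable"},
            "pc12_both_off": {"ClientFWStatus": "disable", "OSFWStatus": "disable"},
        },
    },
}


def transmittable(members, policy) -> bool:
    """Unit 16: a group may replace its members only if no rule uses a proper
    subset of it, i.e. the members are never split across rules (pc11 fails:
    p1 uses three of its members while p2 uses NetworkStatus alone)."""
    group = frozenset(members)
    for rule in policy:
        used = group & rule.uses
        if used and used != group:
            return False
    return True


def build_message(observation, knowledge, policy) -> dict:
    """Sender (units 16 and 17): a transmittable group whose current values match
    a known state is sent as that state; all else is sent as observation info."""
    remaining = dict(observation)
    transmission = {}
    for name, tk in knowledge.items():
        if not transmittable(tk["members"], policy):
            continue
        current = {m: observation[m] for m in tk["members"]}
        state = next((s for s, v in tk["states"].items() if v == current), None)
        if state is None:  # no representative state known: keep the raw values
            continue
        transmission[name] = state
        for m in tk["members"]:
            del remaining[m]
    return {"observation": remaining, "transmission": transmission}


def expand_message(message, knowledge) -> dict:
    """Receiver (unit 18): restore the observation information each transmission
    state stands for, so the policy can be judged exactly as before."""
    observation = dict(message["observation"])
    for name, state in message["transmission"].items():
        observation.update(knowledge[name]["states"][state])
    return observation


def judge_policy(observation, policy):
    """Unit 19: rules are judged in priority order; the first true rule makes the
    monitored system secure without judging the remaining rules."""
    for rule in policy:
        if rule.test(observation):
            return True, rule.name
    return False, None
```

With the sample values, pc11 is rejected and pc12 is sent as one state, so four items cross the wire instead of five and the receiver still reaches the same verdict (p1 true).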

Abstract

Disclosed is a security monitoring method comprising acquiring a plurality of pieces of observation information representing security conditions of a device, and determining security by a policy on the basis of the observation information. Transmission information which defines a representative information for related pieces of observation information is maintained. It is judged whether or not the security determination by the policy is possible only by the transmission information, instead of the observation information. If this is possible, the transmission information is transmitted instead of all or a part of the observation information.

Description

Security monitoring method, security monitoring system, and security monitoring program
The present invention relates to a security monitoring method, a security monitoring system, and a security monitoring program that acquire a plurality of observation information representing the security state of devices and perform a security judgment by a policy based on that observation information.
An example of a conventional security state monitoring system is described in Patent Document 1. In the monitoring system of Patent Document 1, a state verifier that inspects whether a computer is safe is placed inside the computer, a state certificate proving that the computer is secure is created inside the computer under inspection, and that state certificate is transmitted. With this configuration, whether each device is secure can be monitored with less communication than transmitting the state of each device.
An example of agent technology that reduces the amount of communication is described in Patent Document 2. In the conventional agent technology of Patent Document 2, when synchronizing data between agents or obtaining information held by other agents, the system learns which agent should be queried to obtain correct information, thereby reducing the communication required to search for agents.
Patent Document 1: JP 2005-128622 A. Patent Document 2: JP 2000-112904 A.
The above prior art has the following problems.
The first problem is that a large transmission volume is required to send the detailed information on each device that security monitoring needs.
The second problem is that the conventional methods that reduce the transmission volume cannot form one policy by combining the states of a plurality of devices.
An object of the present invention is to provide a security monitoring method, a security monitoring system, and a security monitoring program capable of monitoring the security of a plurality of devices with a small amount of communication.
The security monitoring method of the present invention holds transmission information, defined as representative information standing for a group of related observation information, determines whether the security judgment by the policy is possible using only the transmission information instead of the observation information, and, if so, transmits the transmission information instead of all or part of the observation information.
The security monitoring system of the present invention has:
policy storage means that stores the policy serving as the criterion for judging whether the monitored system is secure;
observation knowledge storage means that stores observation knowledge describing the observation information, i.e. the information on each device used to judge whether the monitored system is secure, and the method of judging it;
system analysis means that analyzes the state of the monitored system based on the observation knowledge stored in the observation knowledge storage means;
transmission knowledge storage means that stores, so that not all observation knowledge analyzed by the system analysis means has to be transmitted, transmission knowledge, i.e. the combination of the transmission information to be sent and the observation information it stands for;
transmission knowledge determination means that receives the observation information analyzed by the system analysis means and the policy from the policy storage means, and judges, based on the information stored in the transmission knowledge storage means, whether sending transmission information instead of the individual observation information affects the policy judgment; and
information transmission means that transmits the observation information together with the transmission information that the transmission knowledge determination means judged not to affect the policy judgment.
This security monitoring system operates so that, when the transmission knowledge determination means judges that transmission information should be sent instead of the plurality of observation information the system analysis means observed on each device, the transmission information is sent instead of that plurality of observation information.
The present invention has the following effects.
First, the amount of information to be transmitted can be reduced. The reason is that, instead of sending every item observed, the items that can be judged not to affect the policy judgment are sent together as one.
Second, the security of a system composed of a plurality of devices can be monitored. The reason is that the information needed for the policy judgment can be sent without being bundled.
FIG. 1 is a block diagram of a security monitoring system according to the first embodiment of this invention.
FIG. 2 is a flowchart showing the operation of the security monitoring system according to the first embodiment.
FIG. 3 is a block diagram of a security monitoring system according to the second embodiment of this invention.
FIG. 4 is a flowchart showing the operation of the security monitoring system according to the second embodiment.
FIG. 5 is a block diagram of a security monitoring system according to the third embodiment of this invention.
FIG. 6 is a flowchart showing the operation of the security monitoring system according to the third embodiment.
FIG. 7 is a block diagram of an application example of the security monitoring system of the third embodiment.
FIG. 8 is a table showing specific examples of observation knowledge.
FIG. 9 is a table showing specific examples of observation information.
FIG. 10 is a table showing a specific example of transmission knowledge.
1 PC
2 Network device
3 System monitoring PC
11 Policy input unit
12 Policy storage unit
13 Observation knowledge storage unit
14 System analysis unit
15 Transmission knowledge storage unit
16 Transmission knowledge determination unit
17 Information transmission unit
18 Transmission knowledge conversion unit
19 Policy determination unit
20 Transmission knowledge generation unit
101-104, 201-206, 301-304 Steps
Next, the best mode for carrying out the present invention will be described in detail with reference to the drawings.
First Embodiment
Referring to FIG. 1, the security monitoring system of this embodiment includes a policy input unit 11, a policy storage unit 12, an observation knowledge storage unit 13, a system analysis unit 14, a transmission knowledge storage unit 15, a transmission knowledge determination unit 16, and an information transmission unit 17.
The policy input unit 11 is a means by which the security monitoring operator inputs a policy that defines a secure state by combining the observation information of each device.
The policy storage unit 12 is a means for storing the policy input from the policy input unit 11, which is defined using observation information and serves as the criterion for judging whether the security monitoring target system is secure. A policy is an expression that takes a Boolean value; for example, when the observation information is a1, a2, a3, a4, a policy can be written as P = ((a1 = b1) ∧ !a2) ∨ ((a3 = b1) ∧ (a4 != b1)). Here b1, b2, b3 are values of observation information. When P is true, the monitored system is secure. In this case P is true, and the monitored system can be judged secure, when (a1 = b1) and !a2 are both true, or when (a3 = b1) and (a4 != b1) are both true. P may consist of a plurality of rules and may have priorities. P consists of a plurality of rules when P = (p1, p2, p3, ...) and each of p1, p2, ..., pn is a Boolean-valued expression. Having priorities means that, although in general any of p1, ..., pn may hold when the policy is judged, the rules are judged in order from p1, and as soon as one takes the value true the policy is judged true without judging the remaining rules. Conversely, there is also the method of judging the policy false as soon as any one rule is false.
The observation knowledge storage unit 13 is a means for storing observation knowledge, which describes the system information needed to judge the risk of the security monitoring target system, that is, the observation information (information on each device) used to judge whether it is secure, and the method of analyzing that observation information.
The system analysis unit 14 is a means that receives from the observation knowledge storage unit 13 the observation knowledge, which contains the observation information constituting the system information to be analyzed and its analysis method, analyzes the configuration and state of the system, and retrieves the value of each observation information from the monitored system. The value of each observation information is retrieved either by embedding a program in each device or by using means prepared in advance for management, such as a CIM (Computer Integrated Manufacturing) database or SMTP (Simple Mail Transfer Protocol). A specific example of observation knowledge is shown in FIG. 8, and a specific example of observation information in FIG. 9.
The transmission knowledge storage unit 15 stores, so that not all the observation information analyzed by the system analysis unit 14 has to be sent, the knowledge to be transmitted: combinations of transmission information and observation information. That is, the transmission knowledge storage unit 15 stores transmission information, defined as a single state that bundles a group of observation states, together with transmission knowledge, the correspondence between that transmission information and the observation states it bundles. Observation information is grouped according to its dependencies, such as being linked, changing at the same time, being of the same kind, or belonging to the same device: information whose values change in step because it belongs to the same device, the same application or the same service, and observation states that are expected to change all at once, for example when a device or service is set up. A specific example of transmission knowledge is shown in FIG. 10.
 送信知識判定部16は、システム分析部14が分析した観測情報を受け取り、さらに、ポリシー格納部12からポリシーを受け取り、個々の観測情報を送信する代わりに送信情報を送信してもポリシーの判定に影響を与えないかどうかを判定する。送信知識格納部15には、ポリシーの判定に影響を与えない、観測情報の組み合わせが情報として格納されており、送信知識格納部15に格納された組み合わせに、合致する情報の組み合わせがあるとき、その組み合わせをポリシーの判定に影響を与えない組み合わせと判定する。すなわち、送信知識判定部16は、送信知識格納部15から送信知識を、ポリシー格納部12からポリシーを受け取り、送信知識に含まれるグループ化された観測情報のうち、ポリシー内で分割して利用されていない、すなわちポリシーと常に組み合わされて利用される観測情報を取り出し、その場合には観測情報ではなく送信情報を送信し、それ以外の場合には観測情報を送信すると判定する手段である。複数の観測情報を、ポリシーの判定結果に影響を与えない観測情報の数より少ない数の送信情報にまとめることができる。 The transmission knowledge determination unit 16 receives the observation information analyzed by the system analysis unit 14, further receives a policy from the policy storage unit 12, and transmits transmission information instead of transmitting individual observation information. Determine if there is no impact. In the transmission knowledge storage unit 15, the combination of observation information that does not affect policy determination is stored as information, and when the combination stored in the transmission knowledge storage unit 15 has a matching information combination, The combination is determined as a combination that does not affect policy determination. That is, the transmission knowledge determination unit 16 receives the transmission knowledge from the transmission knowledge storage unit 15 and the policy from the policy storage unit 12, and is divided and used in the policy out of the grouped observation information included in the transmission knowledge. In other words, it is means for taking out observation information that is always used in combination with a policy, and determining that transmission information is transmitted instead of observation information in that case, and that observation information is transmitted in other cases. A plurality of pieces of observation information can be collected into a smaller number of pieces of transmission information than the number of pieces of observation information that do not affect the policy determination result.
 情報送信部17は、送信知識判定部16が送信すべき、すなわちポリシーの判定に影響を与えないと判定した観測情報と送信情報とを送信知識変換部(不図示)に送信する。ここで、送信情報の伝送量は、複数の観測情報の伝送量より少ない。送信情報の候補を決定し、観測状態の数と送信情報の候補数を比較し、送信情報の候補数が少ない場合に、送信情報を送信するようにしてもよい。 The information transmitting unit 17 transmits the observation information and the transmission information determined to be transmitted by the transmission knowledge determining unit 16, that is, not affecting the policy determination, to the transmission knowledge converting unit (not shown). Here, the transmission amount of the transmission information is smaller than the transmission amount of the plurality of observation information. Transmission information candidates may be determined, the number of observation states may be compared with the number of transmission information candidates, and the transmission information may be transmitted when the number of transmission information candidates is small.
 Next, the overall operation of this embodiment is described in detail with reference to the flowcharts of FIG. 1 and FIG. 2.
 First, a policy is entered using the policy input unit 11 and stored in the policy storage unit 12 (step 101). Next, the system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyses the system, queries the observation targets and determines the values of the observation information (step 102). Next, the transmission knowledge determination unit 16 determines, on the basis of the transmission knowledge and the policy, whether to transmit transmission information or observation information (step 103). Finally, following the determination of the transmission knowledge determination unit 16, the information transmission unit 17 transmits the observation information and the transmission information (step 104).
 Next, the effect of this embodiment is described.
 In this embodiment the transmission knowledge determination unit 16 decides whether to transmit transmission information, which bundles a plurality of pieces of observation information, within the limits that do not affect the policy decision. If it is decided to transmit transmission information, it is transmitted in place of some of the observation information. Security can therefore be monitored with a small transmission volume.
 Second Embodiment
 Referring to FIG. 3, the security monitoring system of this embodiment includes a policy input unit 11, a policy storage unit 12, an observation knowledge storage unit 13, a system analysis unit 14, a transmission knowledge storage unit 15, a transmission knowledge determination unit 16, an information transmission unit 17, a transmission knowledge conversion unit 18 and a policy determination unit 19.
 The security monitoring system of this embodiment is the security monitoring system of the first embodiment with a transmission knowledge conversion unit 18 and a policy determination unit 19 added.
 The transmission knowledge conversion unit 18, in order to determine from the observation information and transmission information sent by the information transmission unit 17 whether they satisfy the policy, reads from the transmission knowledge storage unit 15 the observation information corresponding to the transmission information received from the information transmission unit 17, replaces that observation information in the policy, which is defined in terms of observation information only, with the transmission information, and stores the result in the transmission knowledge storage unit 15. Alternatively, the transmission knowledge conversion unit 18 uses the observation information and transmission information sent by the information transmission unit 17 to determine whether they satisfy a security policy that defines secure combinations of observation information.
 The policy determination unit 19 applies the transmission information and observation information sent by the information transmission unit 17 to the policy in which the transmission information has been substituted (i.e. substitutes the value of each piece of information) and determines whether the policy is satisfied.
 Next, the overall operation of this embodiment is described in detail with reference to the flowcharts of FIG. 3 and FIG. 4.
 First, a policy is entered using the policy input unit 11 and stored in the policy storage unit 12 (step 201). Next, the system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyses the system and determines the values of the observation information (step 202). Next, the transmission knowledge determination unit 16 determines, on the basis of the transmission knowledge and the policy, whether to transmit transmission information or observation information (step 203). Next, following the determination of the transmission knowledge determination unit 16, the information transmission unit 17 transmits the observation information and the transmission information (step 204). The policy, which consists of observation information only, is then converted so that it consists of the observation information and transmission information transmitted by the information transmission unit 17, so that it can be evaluated (step 205). Finally, the policy determination unit 19 determines whether the monitored system satisfies the policy (step 206).
 Next, the effect of this embodiment is described.
 In this embodiment the transmission knowledge determination unit 16 decides whether to transmit transmission information, which bundles a plurality of pieces of observation information, within the limits that do not affect the policy decision. If it is decided to transmit transmission information, it is transmitted in place of some of the observation information, and whether the policy is satisfied is determined from the transmission information and the observation information. Security can therefore be monitored with a small transmission volume.
 Third Embodiment
 Referring to FIG. 5, the security monitoring system of this embodiment further includes a transmission knowledge generation unit 20 in addition to the configuration of the security monitoring system of the second embodiment.
 The transmission knowledge generation unit 20 retrieves the policy from the policy storage unit 12, defines new states by combining a plurality of pieces of the observation information that make up the policy, extracts the combinations for which using transmission information in place of the plurality of pieces of observation information does not affect the policy decision or does not increase the number of states, and stores the correspondence in the transmission knowledge storage unit 15 as transmission knowledge. A combination of observation information that does not affect the policy decision or does not increase the number of states is one in which the same combination of observation information exists within the same device, or in which no part of the combination appears in another policy or is used in combination with other observation information. A specific example of transmission knowledge is shown in FIG. 10.
 Next, the overall operation of this embodiment is described in detail with reference to the flowcharts of FIG. 5 and FIG. 6.
 First, a policy is entered using the policy input unit 11 and stored in the policy storage unit 12 (step 301). Next, the transmission knowledge generation unit 20 extracts, from the entered policy and the observation knowledge, the observation information contained in the policy that can be transmitted as a bundle, associates it with new transmission information, and stores the result in the transmission knowledge storage unit 15 (step 302). Next, the system analysis unit 14 reads the observation knowledge from the observation knowledge storage unit 13, analyses the system and determines the values of the observation information (step 303). The remaining steps are the same as in the second embodiment (step 304).
 Next, the effect of this embodiment is described.
 This embodiment is configured to generate, from the policy and the observation knowledge, transmission information that can be associated with a plurality of pieces of observation information. Risk analysis with reduced communication volume is therefore possible without generating the transmission knowledge in advance.
 Referring to FIG. 7, the monitored system consists of a PC 1 and a network device 2, and a system monitoring PC 3 monitors them. The PC 1 and the network device 2 each contain a system analysis unit 14 that analyses the device, a transmission knowledge determination unit 16 and an information transmission unit 17. The system monitoring PC 3 contains a policy input unit 11, a policy storage unit 12, a policy determination unit 19, a transmission knowledge storage unit 15, a transmission knowledge conversion unit 18 and an observation knowledge storage unit 13.
 First, the user defines as a policy a secure state that combines observation information, using a policy creation means (not shown).
 For example, suppose the following observation information exists:
Observation information representing the filtering rules of network device 2: Deny#rule
Observation information representing the filtering rules of the firewall software installed on PC 1: ClientFWStatus
Observation information representing the filtering rules of the OS installed on PC 1: OSFWStatus
Observation information representing the network connection status of PC 1: NetworkStatus
Observation information representing the IP address of PC 1: IPAddress
 As a policy that uses these monitored states, consider for example the policy "apply filtering to connections from outside (p1), or, if that is not possible, disconnect the network (p2)", where p1 takes priority over p2:
p1 = (IPAddress in Deny#rule) ∨ (ClientFWStatus = enable) ∨ (OSFWStatus = enable)
p2 = (NetworkStatus = disable)
 Next, the transmission knowledge determination unit 16 determines the transmission information from the transmission knowledge and the policy. Referring to the transmission knowledge of FIG. 10, the transmission information pc11 is associated with ClientFWStatus, OSFWStatus, NetworkStatus and IPAddress; pc13 with ClientFWStatus, OSFWStatus and NetworkStatus; and pc14 with ClientFWStatus and OSFWStatus. Here NetworkStatus and the other observation information are split between p1 and p2, so if pc11 or pc13, which bundle NetworkStatus together with the other observation information, were transmitted, p1 and p2 could no longer be evaluated separately. That is, pc11 and pc13 cannot be transmitted. On the other hand, ClientFWStatus and OSFWStatus, which pc14 contains, appear in the same rule of the policy. Extracting the part of the policy built from these two pieces of observation information, ClientFWStatus and OSFWStatus, gives:
(ClientFWStatus = enable) ∨ (OSFWStatus = enable)
Since ClientFWStatus and OSFWStatus do not appear anywhere else in this policy, transmitting the evaluation result of this part as a single value does not affect the policy decision. Therefore (ClientFWStatus = enable) ∨ (OSFWStatus = enable) is bundled as pc14, and only the value of pc14 is transmitted.
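The following Python is an added example, not code from the patent or its applicant: it models the transmission knowledge determination of step 103 on the pc11/pc13/pc14 example above, the policy conversion of step 205 and the priority decision of the policy format described for the policy storage unit 12. The classes Atom, Rule and Group, the functions, the sample observation values and the criterion "every atom that touches a group variable uses only group variables, and all such atoms sit in one rule" are assumptions of this example.

```python
"""Added example, not code from the patent or its applicant: a small model of the
transmission knowledge determination (step 103), policy conversion (step 205)
and policy decision (step 206) of WO2010079694A1 on the PC 1 / network device 2
scenario of the description. Atom, Rule, Group and the criterion "every atom that
touches a group variable uses only group variables, and all of them sit in one
rule" are assumptions of this example."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, List, Tuple

Values = Dict[str, Any]  # observation information name -> observed value

@dataclass(frozen=True)
class Atom:           # one Boolean term of a rule, e.g. (ClientFWStatus = enable)
    text: str
    variables: FrozenSet[str]
    test: Callable[[Values], bool]

@dataclass(frozen=True)
class Rule:           # p_i is a disjunction of atoms; rules are in priority order
    name: str
    atoms: Tuple[Atom, ...]

@dataclass(frozen=True)
class Group:          # transmission knowledge: pc14 -> the observation info it bundles
    name: str
    variables: FrozenSet[str]

def sendable(policy: List[Rule], group: Group) -> bool:
    """Transmission knowledge determination: the group may stand in for its
    observation information only if every atom touching a group variable needs
    nothing outside the group and all such atoms lie in one rule."""
    rules_hit = set()
    for rule in policy:
        for atom in rule.atoms:
            if atom.variables & group.variables:
                if not atom.variables <= group.variables:
                    return False  # split: this atom also needs outside data
                rules_hit.add(rule.name)
    return len(rules_hit) == 1    # spread over p1 and p2 (pc11, pc13) -> False

def device_report(values: Values, policy: List[Rule], groups: List[Group]) -> Values:
    """What the information transmission unit sends (step 104/204): one Boolean
    per sendable group, evaluated on the device, plus the uncovered raw values."""
    report: Values = {}
    covered: set = set()
    for g in groups:
        if sendable(policy, g):
            atoms = [a for r in policy for a in r.atoms
                     if a.variables and a.variables <= g.variables]
            report[g.name] = any(a.test(values) for a in atoms)
            covered |= g.variables
    report.update({k: v for k, v in values.items() if k not in covered})
    return report

def convert_policy(policy: List[Rule], groups: List[Group]) -> List[Rule]:
    """Transmission knowledge conversion (step 205): in each rule, the atoms of
    a sendable group are replaced by one atom reading the transmitted value."""
    usable = [g for g in groups if sendable(policy, g)]
    converted = []
    for rule in policy:
        atoms: List[Atom] = []
        seen: set = set()
        for atom in rule.atoms:
            g = next((g for g in usable
                      if atom.variables and atom.variables <= g.variables), None)
            if g is None:
                atoms.append(atom)
            elif g.name not in seen:  # first atom of the group stands for all
                seen.add(g.name)
                atoms.append(Atom(g.name, frozenset({g.name}), lambda v, n=g.name: bool(v[n])))
        converted.append(Rule(rule.name, tuple(atoms)))
    return converted

def secure(policy: List[Rule], values: Values) -> bool:
    """Policy decision with priority: the first rule that holds makes the policy
    true (later rules are not evaluated); no rule holding makes it false."""
    return any(any(a.test(values) for a in r.atoms) for r in policy)

# The policy of the description; p1 takes priority over p2.
POLICY = [
    Rule("p1", (
        Atom("IPAddress in Deny#rule", frozenset({"IPAddress", "Deny#rule"}),
             lambda v: v["IPAddress"] in v["Deny#rule"]),
        Atom("ClientFWStatus = enable", frozenset({"ClientFWStatus"}),
             lambda v: v["ClientFWStatus"] == "enable"),
        Atom("OSFWStatus = enable", frozenset({"OSFWStatus"}),
             lambda v: v["OSFWStatus"] == "enable"))),
    Rule("p2", (Atom("NetworkStatus = disable", frozenset({"NetworkStatus"}),
                     lambda v: v["NetworkStatus"] == "disable"),)),
]
# Transmission knowledge pc11, pc13 and pc14 as quoted from FIG. 10 in the text.
GROUPS = [
    Group("pc11", frozenset({"ClientFWStatus", "OSFWStatus", "NetworkStatus", "IPAddress"})),
    Group("pc13", frozenset({"ClientFWStatus", "OSFWStatus", "NetworkStatus"})),
    Group("pc14", frozenset({"ClientFWStatus", "OSFWStatus"})),
]
# Constructed observation values; addresses are RFC 5737 documentation addresses.
OBSERVED: Values = {"Deny#rule": {"192.0.2.10"}, "IPAddress": "192.0.2.25",
                    "ClientFWStatus": "disable", "OSFWStatus": "enable",
                    "NetworkStatus": "enable"}

if __name__ == "__main__":
    print({g.name: sendable(POLICY, g) for g in GROUPS})   # only pc14 is sendable
    report = device_report(OBSERVED, POLICY, GROUPS)       # pc14 replaces two values
    print(report, secure(convert_policy(POLICY, GROUPS), report))
```

The decision taken on the converted policy from the reduced report agrees with the decision taken on the original policy from the full observation values, which is the property the determination step is meant to preserve.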
 The security monitoring system described above may also be realised by recording a program that implements its functions on a computer-readable recording medium and having a computer read and execute the program recorded on that medium. A computer-readable recording medium means a recording medium such as a flexible disk, a magneto-optical disk or a CD-ROM, or a storage device such as a hard disk built into a computer system. Computer-readable recording media further include media that hold the program dynamically for a short time, such as a transmission medium or carrier wave when the program is sent over the Internet, and media that hold the program for a fixed time, such as the volatile memory of the computer that acts as the server in that case.
 Although preferred embodiments of the present invention have been described above using specific terms, such description is for illustration only, and it should be understood that various changes and modifications are possible without departing from the scope of the following claims.
 This application claims priority based on Japanese Patent Application No. 2009-001490 filed on January 7, 2009, the entire disclosure of which is incorporated herein.

Claims (15)

  1.  A security monitoring method that acquires a plurality of pieces of observation information representing the security state of a device and performs a security judgement by a policy based on the observation information, the method comprising:
     holding transmission information in which related observation information is bundled and defined by representative information,
     judging whether a security judgement by the policy is possible with the transmission information alone in place of the observation information, and
     transmitting, when it is possible, the transmission information in place of all or part of the observation information.
  2.  The security monitoring method according to claim 1, wherein the transmission volume of the transmission information is smaller than the transmission volume of the plurality of pieces of observation information.
  3.  The security monitoring method according to claim 1, wherein the plurality of pieces of observation information are bundled into a number of pieces of transmission information smaller than the number of pieces of observation information, without affecting the policy decision result.
  4.  The security monitoring method according to claim 3, wherein candidates for the transmission information are determined, the number of observation states is compared with the number of transmission information candidates, and the transmission information is transmitted when the number of transmission information candidates is smaller.
  5.  The security monitoring method according to any one of claims 1 to 4, wherein the transmission information is determined in advance and notified to a monitoring means.
  6.  The security monitoring method according to any one of claims 1 to 5, wherein the observation information and the transmission information are used to determine whether that information satisfies the policy.
  7.  The security monitoring method according to any one of claims 1 to 5, wherein the observation information and the transmission information are used to determine whether that information satisfies a security policy that defines secure combinations of observation information.
  8.  The security monitoring method according to claim 6 or 7, wherein the transmitted transmission information is replaced with observation information using the combinations of transmission information and the observation information bundled into it, and it is determined whether that observation information satisfies the policy.
  9.  The security monitoring method according to claim 6 or 7, wherein, using the combinations of transmission information and the observation information bundled into it, the observation information in the policy is replaced with transmission information in accordance with the transmitted observation information and transmission information, and it is determined whether the substituted transmission information satisfies the security policy.
  10.  A security monitoring system comprising:
     a policy storage means that stores a policy serving as the criterion for judging whether a monitored system is secure;
     an observation knowledge storage means that stores observation knowledge describing the observation information, i.e. the information of each device, used to judge whether the monitored system is secure, and the analysis method of that observation information;
     a system analysis means that analyses the state of the monitored system on the basis of the observation knowledge stored in the observation knowledge storage means;
     a transmission knowledge storage means that stores, instead of all the observation information analysed by the system analysis means, the knowledge to be transmitted, namely combinations of transmission information and observation information;
     a transmission knowledge determination means that receives the observation information analysed by the system analysis means and the policy from the policy storage means, and judges, on the basis of the information stored in the transmission knowledge storage means, whether transmitting transmission information instead of the individual observation information leaves the policy decision unaffected; and
     an information transmission means that transmits the observation information and the transmission information judged by the transmission knowledge determination means not to affect the policy decision.
  11.  The security monitoring system according to claim 10, further comprising:
     a transmission knowledge conversion means that converts the policy, which consists of observation information only, so that it consists of the transmission information and observation information transmitted by the information transmission means, so that the policy can be evaluated on the basis of the observation information and transmission information received from the information transmission means; and
     a policy determination means that determines whether the transmission information and observation information satisfy the policy.
  12.  The security monitoring system according to claim 11, further comprising a transmission knowledge generation means that retrieves the policy from the policy storage means, defines new states by combining a plurality of pieces of the observation information that make up the policy, extracts the combinations for which using transmission information in place of the plurality of pieces of observation information does not affect the policy decision or does not increase the number of states, and stores the correspondence in the transmission knowledge storage means as transmission knowledge.
  13.  A security monitoring program that causes a computer to execute:
     a system analysis procedure that analyses the state of a monitored system on the basis of observation knowledge stored in an observation knowledge storage means, which stores the observation knowledge, i.e. the information of each device used to judge whether the monitored system is secure, and its analysis method;
     a transmission knowledge determination procedure that receives the observation knowledge analysed by the system analysis procedure, receives the policy from a policy storage means that stores the policy serving as the criterion for judging whether the monitored system is secure, and judges whether transmitting transmission information instead of the individual observation knowledge leaves the policy decision unaffected, on the basis of the information stored in a transmission knowledge storage means that stores, instead of all the observation information analysed by the system analysis procedure, the knowledge to be transmitted, namely combinations of transmission information and observation information; and
     an information transmission procedure that transmits the observation information and the transmission information judged by the transmission knowledge determination procedure not to affect the policy decision.
  14.  The security monitoring program according to claim 10, further causing the computer to execute:
     a transmission knowledge conversion procedure that converts the policy, which consists of observation information only, so that it consists of the transmission information and observation information transmitted by the information transmission procedure, so that the policy can be evaluated on the basis of the observation information and transmission information transmitted by the information transmission procedure; and
     a policy determination procedure that determines whether the transmission information and observation information satisfy the policy.
  15.  The security monitoring program according to claim 14, further causing the computer to execute a transmission knowledge generation procedure that retrieves the policy from the policy storage means, defines new states by combining a plurality of pieces of the observation information that make up the policy, extracts the combinations for which using transmission information in place of the plurality of pieces of observation information does not affect the policy decision or does not increase the number of states, and stores the correspondence in the transmission knowledge storage means as transmission knowledge.
PCT/JP2009/071426 2009-01-07 2009-12-24 Security monitoring method, security monitoring system, and security monitoring program WO2010079694A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US13/133,722 US20110265184A1 (en) 2009-01-07 2009-12-24 Security monitoring method, security monitoring system and security monitoring program
JP2010545720A JP5447394B2 (en) 2009-01-07 2009-12-24 Security monitoring method, security monitoring system, and security monitoring program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009-001490 2009-01-07
JP2009001490 2009-01-07

Publications (1)

Publication Number Publication Date
WO2010079694A1 true WO2010079694A1 (en) 2010-07-15

Family

ID=42316463

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/071426 WO2010079694A1 (en) 2009-01-07 2009-12-24 Security monitoring method, security monitoring system, and security monitoring program

Country Status (3)

Country Link
US (1) US20110265184A1 (en)
JP (1) JP5447394B2 (en)
WO (1) WO2010079694A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8943364B2 (en) * 2010-04-30 2015-01-27 International Business Machines Corporation Appliance for storing, managing and analyzing problem determination artifacts
JP7373803B2 (en) 2020-09-29 2023-11-06 パナソニックIpマネジメント株式会社 Information transmitting device, server, and information transmitting method

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
WO2007045150A1 (en) * 2005-10-15 2007-04-26 Huawei Technologies Co., Ltd. A system for controlling the security of network and a method thereof
US8291483B2 (en) * 2007-04-30 2012-10-16 Hewlett-Packard Development Company, L.P. Remote network device with security policy failsafe
CN101442436A (en) * 2007-11-20 2009-05-27 国际商业机器公司 IP network management method and system

Non-Patent Citations (2)

Title
IBM TIVOLI RISK MANAGER KANRISHA GUIDE VERSION 4.2, 31 January 2004 (2004-01-31), pages 1 - 17, 101 TO 105 *
IBM TIVOLI RISK MANAGER USERS GUIDE VERSION 4.1, 31 December 2002 (2002-12-31), pages 1 - 40, 153 TO 155 *

Also Published As

Publication number Publication date
JPWO2010079694A1 (en) 2012-06-21
US20110265184A1 (en) 2011-10-27
JP5447394B2 (en) 2014-03-19

Similar Documents

Publication Publication Date Title
Schiller et al. Landscape of IoT security
JP5164073B2 (en) Communication network design method, program, and recording medium
CN103209174B (en) A kind of data prevention method, Apparatus and system
Junior et al. A Survey on Trustworthiness for the Internet of Things
US11645144B2 (en) Methods and systems securing an application based on auto-learning and auto-mapping of application services and APIs
CN105723378A (en) Protection system including security rule evaluation
CN107800565A (en) Method for inspecting, device, system, computer equipment and storage medium
JP5145907B2 (en) Security operation management system, method, and program
Chenine et al. A framework for wide-area monitoring and control systems interoperability and cybersecurity analysis
Valdez et al. How to discover IoT devices when network traffic is encrypted
Bai et al. Refined identification of hybrid traffic in DNS tunnels based on regression analysis
US20070214242A1 (en) Network configuration change evaluation program, network configuration change evaluation device, and network configuration change evaluation method
Grammatikis et al. Secure and private smart grid: The spear architecture
JP5447394B2 (en) Security monitoring method, security monitoring system, and security monitoring program
Dorsch et al. Enabling hard service guarantees in Software-Defined Smart Grid infrastructures
KR101910788B1 (en) Method for attacker profiling in graph database corresponding incident
Cha et al. A blockchain-enabled IoT auditing management system complying with ISO/IEC 15408-2
Mulazzani et al. Anonymity and monitoring: how to monitor the infrastructure of an anonymity system
US11546356B2 (en) Threat information extraction apparatus and threat information extraction system
CN110519337A (en) A kind of judgement of node state, acquisition method and state decision-making device, state acquisition device
CN113168460A (en) Method, device and system for data analysis
Jeon et al. Passive fingerprinting of scada in critical infrastructure network without deep packet inspection
Drago et al. Report of the second workshop on the usage of NetFlow/IPFIX in network management
Shi et al. Checking network security policy violations via natural language questions
Olivero Asset Discovery Tools Supporting Cybersecurity Inventory

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09837579

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 13133722

Country of ref document: US

WWE Wipo information: entry into national phase

Ref document number: 2010545720

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09837579

Country of ref document: EP

Kind code of ref document: A1